Torsion point attacks on “SIDH-like” cryptosystems

Isogeny-based cryptography is a promising approach for post-quantum cryptography. The best-known protocol following that approach is the supersingular isogeny Diffie-Hellman protocol (SIDH); this protocol was turned into the CCA-secure key encapsulation mechanism SIKE, submitted to the NIST post-quantum standardization process, which has remained in the third round as an "alternate" candidate. Isogeny-based cryptography generally relies on the conjectured hardness of computing an isogeny between two isogenous elliptic curves, and most cryptanalytic work referenced on SIKE's webpage exclusively focuses on that problem. Interestingly, the hardness of this problem is sufficient for neither SIDH nor SIKE. In particular, these protocols reveal additional information on the secret isogeny, in the form of images of specific torsion points through the isogeny. This paper surveys existing cryptanalysis approaches exploiting this often so-called "torsion point information", summarizes their current impact on SIKE and related algorithms, and suggests some research directions that might lead to further impact.


Introduction
Isogeny-based cryptography is a promising candidate for post-quantum cryptography. It originates from Couveignes's seminal work [12], where he introduced the notion of hard homogeneous spaces and instantiated it with ordinary elliptic curves, and from the hash function of Charles, Goren and Lauter [9] (CGL) based on isogenies of supersingular elliptic curves. In 2011 De Feo and Jao introduced SIDH [23], and in recent years the field has blossomed, for example with the introduction of CSIDH [7] (the only post-quantum scheme which provides non-interactive key exchange), SQISign and many more isogeny-based schemes. SIKE [21], a key encapsulation mechanism derived from SIDH, is currently a third-round alternate candidate in NIST's post-quantum standardization project.
Most isogeny-based protocols today are based on the hardness of computing isogenies between supersingular elliptic curves. However, only the CGL hash function [9] and the GPS signature scheme [19] rely solely on this "pure" isogeny problem. In the SIDH protocol, parties send over torsion point images, which motivates the study of the following problem.

Problem 1.1 (Supersingular Isogeny with Torsion (SSI-T)). For a prime p and smooth coprime integers A and B, given two supersingular elliptic curves E_0/F_{p^2} and E/F_{p^2} connected by an unknown degree-A isogeny φ : E_0 → E, and given the restriction of φ to the B-torsion of E_0, compute φ.
In [23] a more specific version of the SSI-T problem is called the CSSI problem. Computing isogenies between supersingular elliptic curves is a natural algorithmic question which has been studied for a long time, but the SSI-T problem is specific to SIDH and its variants. It is natural to wonder how the SSI-T problem relates to the pure isogeny problem. The aim of this survey paper is to give a summary of results which exploit the extra information in various ways. Our goal is to explain these techniques, assess their impact and warn designers of future protocols to take these results into account. The current state of the art is that SIKE is not affected by these attacks.
The structure of the paper is as follows. In Section 2 we recall basic mathematical results on supersingular elliptic curves and quaternion algebras and the SIDH protocol. In Section 3 we discuss active attacks on SIDH, namely the GPST attack [18] and its extensions. In Section 4 we discuss how the endomorphism ring computation problem relates to the security of SIDH and the SSI-T problem in general. In Section 5 we discuss passive torsion-point attacks which originate from [29] and were later improved significantly in [13]. In Section 6 we discuss the quantum hidden-shift attack from [26]. Finally, in Section 7 we discuss open problems which could shape the future of torsion-point attacks.

Supersingular isogeny Diffie-Hellman and its variants
We refer to [31] and [17] for general background on elliptic curves and isogeny-based cryptography. The following high-level description of SIDH [23] and of some of its variants relevant to Problem 1.1 is taken nearly verbatim from [13, Section 2.1].
Recall that E[N] denotes the N-torsion subgroup of an elliptic curve E and [m] denotes scalar multiplication by m. The public parameters of the system are two smooth coprime numbers A and B, a prime p of the form p = ABf − 1, where f is a small cofactor, and a supersingular elliptic curve E_0 defined over F_{p^2}. The protocol then proceeds as follows:
4. Alice and Bob use the given torsion points to obtain the shared secret curve.
The SIKE proposal [21] suggests various choices of (p, A, B) depending on the targeted security level. All parameter sets use powers of two and three for A and B, respectively, with A ≈ B and f = 1. For example, the smallest parameter set suggested in [21] uses p = 2^{216} · 3^{137} − 1. Other constructions belonging to the SIDH 'family tree' of protocols use different types of parameters [1,11,30].
We may assume knowledge of End(E 0 ): The only known way to construct supersingular elliptic curves is by reduction of elliptic curves with CM by a small discriminant (which implies small-degree endomorphisms: see [8,27]), or by isogeny walks starting from such curves (where knowledge of the path reveals the endomorphism ring, thus requiring trusted setup). A common choice when p ≡ 3 (mod 4) is j(E 0 ) = 1728 or a small-degree isogeny neighbour of that curve [21]. Various variants of SIDH exist in the literature.
In [1] the authors propose an n-party key agreement. The idea is to use n small primes ℓ_1, …, ℓ_n together with a small cofactor f: the i-th party's secret isogeny has degree ℓ_i^{e_i}, and the i-th participant provides the images of a basis of the (∏_{j=1}^n ℓ_j^{e_j})/ℓ_i^{e_i}-torsion. They choose the starting curve to have j-invariant 1728 and choose the e_i in such a way that all the ℓ_i^{e_i} are of roughly the same size. This is an example of an SIDH-like protocol; for this protocol to be secure it is required that Problem 1.1 be hard when A = ℓ_1^{e_1} and B = (∏_{j=1}^n ℓ_j^{e_j})/ℓ_1^{e_1} (and likewise for every other party).

Another example of a SIDH-like scheme is B-SIDH [11]. In B-SIDH, the prime has the property that p^2 − 1 is smooth (as opposed to just p − 1 being smooth) and A ≈ B ≈ p. It would seem that choosing parameters this way one has to work over F_{p^4}, but in fact the scheme simultaneously works with the curve and its quadratic twist (i.e., a curve which is not isomorphic to the original curve over F_{p^2} but has the same j-invariant) and avoids the use of extension fields. The main advantage of B-SIDH is that the base-field primes used can be considerably smaller than the primes used in SIDH.

GPST and variants
Since SIDH is a key exchange analogous to classical Diffie-Hellman, it is a natural question whether parties could use static keys. In 2016 Galbraith, Petit, Shani and Ti [18] proposed an active attack on SIDH when one party has a static key. The main idea of the attack is to send over maliciously generated torsion points and check whether the key exchange was successful or not. After every key exchange the adversary learns one more bit of the secret key.
In order to describe the attack we define the following oracle which abstracts the method described above.
Definition 3.1. Let α be a secret integer. Let (E, E_1, E_1', P, Q) be a tuple such that P, Q generate E_1[A]. Then the oracle returns "true" if E_1' ≅ E_1/⟨P + αQ⟩ and returns "false" otherwise.
The motivation for this oracle comes from the way the SIDH key exchange is computed. Alice receives φ_B(P_A) and φ_B(Q_A) and computes the curve E_B/⟨φ_B(P_A) + αφ_B(Q_A)⟩. The key exchange is successful if both parties computed the same curve (up to isomorphism). Unfortunately, there is no way to tell without knowing φ_B whether the points sent over are truly the images of P_A and Q_A under φ_B or are just some other basis of E_B[A]. For simplicity we suppose that A = 2^n, but the attack generalizes to isogenies of arbitrary smooth degree.
There is a pretty simple attack if one is allowed to send over points of order smaller than A. Namely, we do an otherwise honest key exchange in which we send over such low-order points. This will essentially reveal the isogeny path from E_B to E_AB, from which the secret is easily deduced. However, such an attack is easily detectable, as the order of the points can be checked using pairings.
Let P_A + αQ_A be the secret kernel generator of Alice. The first step of the attack is a genuine key exchange: Bob chooses an isogeny φ_B : E → E_B with kernel ⟨P_B + βQ_B⟩, sends over φ_B(P_A), φ_B(Q_A) and computes the common curve E_AB. Our first goal is to determine the least significant bit of α. The trick is to send over E_B and the points R, S + 2^{n−1}R, where R = φ_B(P_A) and S = φ_B(Q_A). Then Alice computes E_B/⟨R + α(S + 2^{n−1}R)⟩, which is isomorphic to
- E_B/⟨R + αS⟩ if and only if α is even,
- E_B/⟨R + αS + 2^{n−1}R⟩ if and only if α is odd.
Let E_AB = E_B/⟨R + αS⟩. Now sending (E, E_B, R, S + 2^{n−1}R, E_AB) to the oracle determines the least significant bit of α: if the oracle returns true, then α is even, otherwise α is odd. In order to compute the remaining bits of α, we write α in the form α = Σ_{i=0}^{n−1} α_i 2^i. Let s_k denote the partial sum s_k = Σ_{i=0}^{k−1} α_i 2^i. Suppose now that we have already computed s_k and our goal is to compute α_k. Then we send over points chosen according to s_k, in the same spirit as above; this implies that knowing s_k we can compute α_k with one oracle call. It is clear that after n calls to the oracle we retrieve the static secret key α.
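The bit-recovery loop described above, as an added simulation that is not part of the original paper: E_B[2^n] is modelled as (Z/2^n)^2 with the Weil pairing modelled by a determinant, the oracle of Definition 3.1 is modelled as equality of kernel subgroups, and the points sent at each step (which this page does not print) are an assumed GPST-style construction, scaled by an assumed square-root factor so that they pass the order and pairing checks a static-key Alice would run.

```python
# Added example (not from the paper): the GPST bit-recovery loop run against a
# simulated static-key Alice.  E_B[2^n] is modelled as (Z/2^n Z)^2, a point is a
# pair of residues, the honest images of Alice's basis are two points R, S with
# odd det(R, S), and the Weil pairing e(P, Q) is modelled by its exponent
# det(P, Q) mod 2^n.  The oracle of Definition 3.1 is modelled as "same kernel
# subgroup" (distinct cyclic kernels give different quotient curves generically).

def canonical(point, n):
    """Canonical generator of the cyclic subgroup <point> of (Z/2^n)^2.

    Requires a point of exact order 2^n, i.e. one odd coordinate.  Two such
    points span the same subgroup iff their canonical forms agree."""
    m = 1 << n
    a, b = point[0] % m, point[1] % m
    if a & 1:
        return (1, b * pow(a, -1, m) % m)
    if b & 1:
        return (a * pow(b, -1, m) % m, 1)
    raise ValueError("point has order < 2^n")


def det(P, Q, n):
    """Exponent of the modelled Weil pairing e(P, Q) on (Z/2^n)^2."""
    return (P[0] * Q[1] - P[1] * Q[0]) % (1 << n)


def sqrt_mod_2n(u, n):
    """A square root of u mod 2^n by Hensel lifting (needs u = 1 mod 8, n >= 3)."""
    assert u % 8 == 1 and n >= 3
    x = 1
    for j in range(3, n):
        if (x * x - u) % (1 << (j + 1)):
            x += 1 << (j - 1)
    assert (x * x - u) % (1 << n) == 0
    return x


class StaticAlice:
    """Honest party with a static secret alpha; her kernel is <R + alpha*S>."""

    def __init__(self, alpha, n, expected_pairing):
        self.alpha, self.n, self.expected = alpha, n, expected_pairing

    def shared_kernel(self, R, S):
        # The validation the text mentions: the received points must have full
        # order 2^n and the expected pairing value, otherwise Alice aborts.
        if not ((R[0] | R[1]) & 1 and (S[0] | S[1]) & 1):
            raise ValueError("rejected: point of order < 2^n")
        if det(R, S, self.n) != self.expected:
            raise ValueError("rejected: pairing check failed")
        m = 1 << self.n
        K = ((R[0] + self.alpha * S[0]) % m, (R[1] + self.alpha * S[1]) % m)
        return canonical(K, self.n)   # stands in for the curve E_B/<K>


def make_oracle(alice):
    """Oracle of Definition 3.1: is Alice's curve from (R, S) the curve E_AB?"""
    return lambda R, S, E_AB: alice.shared_kernel(R, S) == E_AB


def gpst_recover(oracle, n, R, S, E_AB):
    """Recover alpha with one oracle call per bit, plus a local search at the end.

    The malformed points at step k are an assumed GPST-style choice (the text
    does not print them): R' = theta*(R - 2^(n-k-1) s_k S), S' = theta*(1+2^(n-k-1)) S
    with theta^2 (1 + 2^(n-k-1)) = 1 mod 2^n, so that det(R', S') = det(R, S) and
    both points keep full order.  Then <R' + alpha S'> = <R + alpha S + alpha_k 2^(n-1) S>,
    so Alice's curve is unchanged iff alpha_k = 0.  The square root exists only
    while 1 + 2^(n-k-1) = 1 mod 8, so the top three bits are found by local search
    (the attacker knows E_B, R, S and can compute candidate curves itself)."""
    assert n >= 4
    m = 1 << n
    s, calls = 0, 0
    for k in range(n - 3):
        t = 1 << (n - k - 1)
        theta = pow(sqrt_mod_2n(1 + t, n), -1, m)
        Rp = (theta * (R[0] - s * t * S[0]) % m, theta * (R[1] - s * t * S[1]) % m)
        Sp = (theta * (1 + t) * S[0] % m, theta * (1 + t) * S[1] % m)
        calls += 1
        if not oracle(Rp, Sp, E_AB):
            s += 1 << k
    for high in range(8):
        cand = s + (high << (n - 3))
        K = ((R[0] + cand * S[0]) % m, (R[1] + cand * S[1]) % m)
        if canonical(K, n) == E_AB:
            return cand, calls
    raise RuntimeError("no candidate matched E_AB")


if __name__ == "__main__":
    n = 8
    R, S = (3, 4), (5, 7)                     # constructed honest images, det = 1
    alice = StaticAlice(181, n, det(R, S, n))
    E_AB = alice.shared_kernel(R, S)         # the genuine first key exchange
    print(gpst_recover(make_oracle(alice), n, R, S, E_AB))   # (181, 5)
```

Sending the unscaled points (R, (1 + 2^{n−1})S) instead trips the pairing check, which is why the scaling step matters to an attacker and why the pairing check alone is not a sufficient countermeasure.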
There are various countermeasures against the GPST attack. The most efficient and standard way is to use the Fujisaki-Okamoto transform. This is how the IND-CCA2-secure scheme SIKE [21] is obtained. However, for some applications this is not desirable, namely when both parties' keys are static.
In 2017 Azarderakhsh et al. [2] introduced a variant of SIDH called k-SIDH. The main idea is the following. Alice and Bob choose k different secret isogenies (all of Alice's isogenies are of degree 2^m and all of Bob's isogenies are of degree 3^l) and they compute k^2 SIDH key exchanges (as each pair of secrets corresponds to one key exchange). Finally, they hash the k^2 different j-invariants to obtain a shared secret. The efficiency of k-SIDH is governed by the size of k: public key sizes grow linearly in k and the number of SIDH key exchanges is a quadratic function of k. In the original paper [2] the authors gave a brief security analysis and suggested using k = 60. Such a large k makes the scheme very impractical, so it is important to have a clearer security analysis of k-SIDH. In particular, is 2-SIDH secure? In [15] Dobson et al. demonstrated an attack against 2-SIDH which generalizes to larger k. The complexity of the attack is exponential in k, but it breaks the scheme in polynomial time for small k. They suggest that k = 46 is already potentially a secure choice. Their attack in the k = 2 case is far from trivial, as the GPST attack does not generalize in a straightforward manner (it gives an exponential complexity even in the k = 2 case). Their key idea is to compute additional information at each step. In GPST one only has to keep track of the computed bits of α. In the 2-SIDH attack, on the other hand, one has to compute each step in the isogeny graph plus preimages of certain points. The bottleneck of the algorithm is the computation of these various preimages, as they require a lot of oracle calls.
Since k-SIDH is quite impractical, it is natural to attempt to speed it up. Jao and Urbanik [35] proposed a way of lowering the number of key exchanges by using automorphisms of the starting curves. This way one secret corresponds to three curves, which lowers the size of the public keys and the communication cost. However, the attack from [15] can be extended to the Jao-Urbanik scheme [3] in a way that actually exploits the relationship between the three isomorphic curves. If one compares state-of-the-art attacks on both schemes, then the analysis in [3] suggests that k-SIDH is actually more efficient (this may change in the future if an improved attack on k-SIDH cannot be adapted to the Jao-Urbanik scheme). Jao and Urbanik also suggest switching from 2-isogenies to 11- or 13-isogenies, as it increases the attack complexity more than it increases the computational costs.
It is still an open problem whether there exists some variant of k-SIDH which is efficient and avoids these known attacks.

Fault attacks
In the GPST attack and its variants, one party purposely produces erroneous torsion points and recovers information on the secret key from (changes in) the shared curve E_AB. When fault attacks are feasible, an alternative approach is to force the other party to make faulty computations.
In the SIDH protocol, isogenies are computed sequentially, as the composition of several low-degree isogenies. In [20], a loop-abort fault attack is described where one party can force the other one to stop that computation after an arbitrary number of steps and return the current curve rather than the final one. This provides an oracle similar to the one used in the GPST attack, and the key can be recovered similarly.
In [34], another fault model is considered where some register value is replaced by a random value during the computation. If this happens to a register containing part of the x-coordinate of P_B, then the resulting x-coordinate still corresponds to a point on the curve with probability roughly 1/2, but that point is likely to have an order that is not coprime with deg φ_A. As a result its image will reveal part of the isogeny; more precisely, multiplying the image by the cofactor (its order divided by the gcd between its order and deg φ_A) produces a point in the kernel of the dual isogeny. We refer to [34] for details.

Reduction to the endomorphism ring computation problem
Computing the endomorphism ring of a supersingular elliptic curve is a classical problem in computational number theory. Given an elliptic curve E defined over a finite field of characteristic p, the problem is to find End(E). The first algorithm to solve this is described in Kohel's thesis [25] and was later improved by Delfs-Galbraith [14] to a running time of Õ(p^{1/2}). The most recent algorithm [16] is a slight variation with essentially the same complexity O(log(p)^2 p^{1/2}). The best known quantum algorithm is due to Biasse, Jao and Sankar [4] and has a running time of Õ(p^{1/4}). It is natural to ask how finding isogenies between supersingular elliptic curves relates to computing endomorphism rings. The KLPT algorithm [24] implies that if one knows the endomorphism rings of both curves, then one can compute an isogeny between them. For cryptographic applications, a much more natural question is the following. Let φ be a secret isogeny of degree d between E_1 and E_2. Find φ if the endomorphism rings of E_1 and E_2 are known.
Let us first recall some facts about isogenies between supersingular elliptic curves. Let E_1, E_2 be supersingular elliptic curves defined over F_{p^2}. Then the set Hom(E_1, E_2) of isogenies between E_1 and E_2 has a very specific structure. First, Hom(E_1, E_2) is a Z-lattice, as an integer linear combination of isogenies from E_1 to E_2 is again an isogeny from E_1 to E_2. Furthermore, let σ_1 ∈ End(E_1), σ_2 ∈ End(E_2) and φ ∈ Hom(E_1, E_2). Then φ ∘ σ_1 ∈ Hom(E_1, E_2) and σ_2 ∘ φ ∈ Hom(E_1, E_2). In other words, Hom(E_1, E_2) is a left End(E_2)- and a right End(E_1)-module. In particular, the next lemma shows that Hom(E_1, E_2) is isomorphic to a left ideal of End(E_2). One can also show that the rank of Hom(E_1, E_2) as a Z-lattice is 4. The KLPT algorithm also implies that if the endomorphism rings of E_1 and E_2 are known, then one can compute a Z-basis of Hom(E_1, E_2), as it is isomorphic to a connecting left ideal. Note that such a basis is given as elements of the quaternion algebra and not as rational maps, as their degree can be large and not smooth (thus writing down the coefficients of the rational functions would take exponential time in log p).
The first algorithm relating endomorphism ring computation and computing isogenies of a specific degree is from [18]. The main observation is that in SIDH the secret isogeny has degree approximately √p. Heuristically, such an isogeny should in general be the shortest isogeny between two randomly selected curves, which gives the following attack. Compute a Z-basis of Hom(E_1, E_2) using the KLPT algorithm. Then find the shortest element in Hom(E_1, E_2) using the LLL algorithm. Heuristically, this should be the secret isogeny one is looking for. The authors demonstrate this with experiments in MAGMA.
The algorithm implies that in SIDH, if the endomorphism rings of E and E_A are known, then one can recover the secret isogeny φ_A in polynomial time. However, in B-SIDH the respective curves are no longer close (the curves are roughly p apart), thus the algorithm from [18] fails. It is a natural question whether one can extend the algorithm from [18] to be applicable to B-SIDH as well. This is especially important because for B-SIDH such an attack would be more efficient than a meet-in-the-middle attack (which is currently not the case for SIDH).
The main idea of [33] is that one can exploit the torsion information provided to generalize the attack from [18] to a wide variety of parameters. Note that the algorithm in [18] did not use the torsion information at all; it solely relied on the curves being close. We sketch the attack from [33]. As before, one computes an LLL-reduced basis of Hom(E_1, E_2); let this be φ_1, φ_2, φ_3, φ_4. Then the secret isogeny φ can be written as φ = Σ_{i=1}^4 x_i φ_i where the x_i are integers. Using the torsion information provided, one can determine the x_i modulo B by solving a system of linear equations. Why is this information useful? The reason is that an LLL-reduced basis has the property that one can bound the x_i using the smallest-degree element in Hom(E_1, E_2) and the degree of the secret isogeny. This way, if |x_i| < B/2, then a solution modulo B can be uniquely lifted to an integer solution. This way one can retrieve the secret isogeny whenever A/B < 8√p. When looking at SIDH or B-SIDH as a key exchange, one can assume that B > A, so this should apply to any reasonable instantiation of SIDH.
It is still an open problem whether one can recover a secret isogeny of degree d between curves with known endomorphism rings in general. Indeed, both previously described algorithms use some extra information, namely closeness of the curves or torsion-point information.

Shifted endomorphism attacks
In this section we discuss algorithms for the SSI-T problem. The central questions are the following:
- For which parameters A, B, p can one solve SSI-T in polynomial time?
- For which parameters A, B, p can we do better than generic meet-in-the-middle algorithms?
The first work in this area is Petit's algorithm [29], which was first improved in [6] and then further improved in [13]. The starting point is the following. Let φ : E_1 → E_2 be an isogeny of degree A and suppose we know the action of φ on the B-torsion. Let θ ∈ End(E_1) (given by some efficient representation). Then one knows how φ ∘ θ ∘ φ̂ acts on E_2[B], where φ̂ denotes the dual isogeny. Furthermore, this is also true for any τ of the form φ ∘ θ ∘ φ̂ + [d] for any integer d. Why is this useful? The key idea of [29] is to choose θ (and d) in such a way that the degree of τ is Be for a small integer e. Then one can decompose τ as ψ ∘ η where deg(ψ) = B and deg(η) = e. One knows ψ, as the action of τ on E_2[B] is known, and η can be computed by a generic meet-in-the-middle algorithm. Finally, one can obtain ker(ψ) from the intersection of ker(τ) with E_2[B].

The key part of the attack is the appropriate choice of θ, which requires knowledge of (at least part of) the endomorphism ring of E_1. However, in many applications E_1 is the special curve defined by the equation y^2 = x^3 + x, for which the structure of the endomorphism ring is known. Finding a suitable endomorphism θ ∈ End(E_1) is then equivalent to finding an integer solution (a, b, c, d, e) with small e to a certain equation, referred to below as Equation 1. There is a natural strategy for solving this equation. First one solves it modulo A^2 by choosing d and e appropriately. Then one checks whether Be − d^2 is a square modulo p. If not, then one chooses a different d and e. If it is, then one solves for c, and finally one checks whether the remaining quantity is a sum of two squares. If yes, then one finds a, b using Cornacchia's algorithm.
If not, then one starts over with a new d and e. It can be shown that, heuristically, one does not need to iterate too many times. This is a simple algorithm, but it fails for many parameter sets. The reason for this is that c^2 is usually of size O(p^2), meaning that for many parameters, even though one does not encounter local obstructions, the number that has to be written as a sum of two squares is negative, hence never a sum of two squares. In [29] it is shown that this does not happen when A > p and B > A^4, in which case one can solve SSI-T in polynomial time.
Follow-up papers improve on Petit's original algorithm by relaxing the condition on θ and relating the algorithm to different equations. In [6] the authors use triangular decompositions and certain endomorphisms with many eigenvalues to derive a second equation, referred to below as Equation 2.

In [13] the authors derive two new improvements: the dual isogeny method and the Frobenius method. The dual isogeny method also reduces to Equation 2 but uses a more direct approach. Namely, if one can find θ such that the degree of τ = φ ∘ θ ∘ φ̂ + [d] is B^2 e, then τ can be decomposed as τ = ψ ∘ η ∘ ψ' where deg(ψ) = deg(ψ') = B and deg(η) = e. The isogenies ψ and η can be computed in a similar fashion as before. The isogeny ψ' can be computed by essentially looking at τ(E_2[B]). Another way to understand this approach is the following. Even though τ is not known a priori, its action on E_2[B] is known. Thus one can look at τ as a 2 × 2 matrix with entries from Z/BZ. One can derive ψ by looking at the kernel of this matrix and one can compute ψ' by looking at the image of this matrix. One can solve Equation 2 with the same method as the one presented for solving Equation 1. This provides a polynomial-time method whenever B > pA. However, heuristics show that a solution should exist for a much wider variety of parameters, for example when p ≈ AB and B > A^4, but finding such a solution is still an important open problem.

Why would an algorithm to compute these solutions be interesting? In variations and applications of SIDH one often uses special primes in order to be able to carry out computations over small extension fields. In particular there are two classes of primes which are used: SIDH primes of the form p = ABf − 1 where f is a small cofactor, and B-SIDH primes where p^2 − 1 = AB and A, B are smooth. For SIDH primes the previous approaches fail, as in both approaches B > p. For B-SIDH primes the dual isogeny approach already has some impact: namely when B > A^2, then one can solve the SSI-T problem in polynomial time.
This has no impact on the actual scheme proposed in B-SIDH [11] because there the parameters are balanced.
The main idea of the Frobenius approach outlined in [13] is the following. In the dual approach η needed to have small degree, as it was computed by a generic meet-in-the-middle algorithm. However, when the degree of η is a small multiple of p, then it can also be computed by applying the Frobenius and then brute-forcing the rest. This results in an alternative equation, which one can solve by first setting c = 0 and d = pd' and dividing by p. The solving strategy for the resulting equation is similar to before, but one does not have to solve modulo p this time, just modulo A^2, and then hope that (B^2 e − p d'^2)/A^2 is a sum of two squares. If not, then one can again iterate until a solution is found. This algorithm is implemented and can be found at https://github.com/torsion-attacks-SIDH/6party. The main appeal of the Frobenius method is that it runs in polynomial time whenever B > √p · A^2. In particular this applies when p ≈ AB and B > A^5. Note that it still does not apply to SIKE, as there A ≈ B. However, the choice of balanced parameters in SIKE is essentially only motivated by having the same security level for Alice and Bob. In many SIDH applications the parameters are not balanced [5,22], and future protocols may arise using unbalanced parameters.
All the previously described attacks run in polynomial time. However, it also makes sense to look at exponential-time attacks which outperform generic meet-in-the-middle algorithms. A general framework for these types of attacks is the following. One first guesses part of the secret isogeny and then one runs a torsion-point attack, possibly with a larger e. If the torsion-point attack fails, then one guesses a different starting isogeny. This way one can obtain improvements for parameter sets which are less unbalanced. The state of the art in this regard is summarized in Figure 1.

Figure 1. Performance of attacks from [13]. Here A ≈ p^α and B ≈ p^β. Parameters (α, β) above the red, orange and yellow curves are parameters admitting a polynomial-time attack, an improvement over the best classical attacks, and an improvement over the best quantum attacks, respectively. Parameters below the upper dashed line are those allowing AB | (p^2 − 1) as in [11]. Parameters below the lower dashed line are those allowing AB | (p − 1) as in [21,22].

All these attacks assume that the starting curve is a special curve, namely the curve with j-invariant 1728 (the attack extends naturally to starting curves close to this curve). Starting from a random curve thwarts all these attacks. However, in certain scenarios it is not easy to tell whether the starting curve was honestly generated (e.g., by taking a random walk starting from the curve y^2 = x^3 + x). Thus a natural question is the following: given A, B, p, can one maliciously construct a starting curve for SIDH from which one can retrieve the secret key in polynomial time? When B > A^2, the answer is yes. The main idea is to look at Equation 2 from a different perspective. In previous approaches one was looking for a specific θ on a specific starting curve. Instead one can try to look for the curve and the endomorphism together. This way one can look for θ in the entire quaternion algebra B_{p,∞} instead of restricting to one maximal order. This way we get Equation 2, but a, b, c do not need to be integers; only pa^2 + pb^2 + c^2 has to be an integer, as it is the norm of an endomorphism (only integral elements of B_{p,∞} arise as endomorphisms). This way we can solve the equation modulo A^2, and one is left with a quadratic equation in the remaining unknowns. Since we are now looking for rational solutions, we find a nontrivial zero of the corresponding quadratic form; this requires that B^2 e − d^2 be a quadratic residue modulo p, so again we have to iterate a couple of times for this to occur. Then one can find a solution using Simon's algorithm [32]. This way one has found θ but not the curve. The curve can be obtained by finding a maximal order containing θ and translating it to a supersingular elliptic curve whose endomorphism ring is isomorphic to that order. In [13] the curves containing such a θ are called (A, B)-backdoor curves. The number of these curves is exponential in log p. Note that the condition for the existence of such a curve is B > A^2, so it does not depend on p.
However, again this seemingly does not apply to balanced SIDH parameters. Even though one cannot break SIDH in polynomial time from a backdoor starting curve, in [13] it is shown that one can derive algorithms which, even though exponential, are faster than meet-in-the-middle algorithms. This seems to suggest that, against all intuition, it is probably safer to instantiate SIDH starting from y^2 = x^3 + x than from a random curve if there is no guarantee that the curve was generated honestly. Note that for SIDH one can actually derive a random starting curve by multiparty computation techniques, but in many applications such an approach might not be feasible. Finally, all these methods are ineffective if one could hash onto the supersingular isogeny graph, i.e., generate a random supersingular curve whose endomorphism ring is unknown to everyone. The techniques of this section again highlight the importance of the hashing problem.

Quantum hidden shift attack
In this section we present a quantum subexponential algorithm for the SSI-T problem for certain parameter sets. One of the main fundamental differences between SIDH and CSIDH is that CSIDH is clearly based on a group action, namely the class group of Z[√−p] acts freely and transitively on supersingular elliptic curves defined over F_p. It is well understood how to compute the action of an ideal class of smooth norm on a given curve E. Furthermore, since the class group is commutative, the action provides a commutative group action which realizes the Hard Homogeneous Spaces concept of Couveignes [12]. In the SIDH setting one does not have a similar natural group action, due to the noncommutative nature of the full endomorphism ring (quaternion maximal orders have class groups, but they are non-commutative). The implications of this are twofold: on the one hand this makes SIDH less flexible (i.e., it is harder to derive further schemes from the core idea); on the other hand it possibly makes it immune to Kuperberg's algorithm.
There is, however, a different framework that applies to general supersingular elliptic curves as well. Let f : I → O be an injective one-way function and let G be a finite abelian group acting freely and transitively on I. Furthermore, suppose that if f(i) is known (but i is not necessarily known), then one can compute f(g * i). We call such an oracle a malleability oracle. In [26] it is shown that if one has access to a malleability oracle, then one can invert f in subexponential time. It is also shown that this framework applies to CSIDH and is essentially the same attack as the one proposed by Childs, Jao and Soukharev [10]. However, surprisingly, one can apply this framework to the SSI-T problem as well.
Let E be a supersingular elliptic curve. Let I be the set of cyclic subgroups of order A, and let O be the set of supersingular elliptic curves at distance A from E. Then f : I → O is defined by the mapping f(⟨K⟩) = E/⟨K⟩. Let θ be an endomorphism of E and let E/⟨X⟩ be a curve at distance A from E. If the degree of θ is coprime to A, then E/⟨θ(X)⟩ is also a curve at distance A from E. Let O = End(E). Then this idea defines an action of (O/AO)^* on the curves at distance A from E. It can be shown that (O/AO)^* ≅ GL_2(Z/AZ). Since θ and λθ, where λ ∈ Z, define the same action, it is actually more natural to consider the action of PGL_2(Z/AZ) on the set of curves at distance A from E. There are several questions at this point:
1. Is f injective?
2. Since PGL_2(Z/AZ) is non-commutative, how does one choose the acting group G?
3. How does one compute E/⟨θ(X)⟩ without knowing X?
The first two questions are mere technicalities. One can split I in a way so that for each subset f is injective. In addition one can restrict to an abelian subgroup of P GL 2 (Z/AZ) to make the action free and transitive on each of these subsets.
The answer to question 3 is more involved, and this is the only part where the attack uses torsion point images. Let E_X = E/⟨X⟩ and let φ : E → E_X be a secret isogeny of degree A. Suppose we know the action of φ on E[B]. Our goal is to compute E/⟨θ(X)⟩ for an endomorphism θ. One has a commutative diagram described in Figure 2. Instead of focusing on the isogeny from E to E/⟨θ(X)⟩, we can go the other way around the diagram: namely from E to E_X and then from E_X to E/⟨θ(X)⟩. The second step can be computed if the degree of θ divides B, as we know the action of φ on the B-torsion. However, in general θ will not satisfy this property. The way around this issue is the following. Since we are working in O/AO, we can choose a different representative of the coset containing θ. This means that we can switch from θ to any θ' which has the exact same action on the A-torsion. Now the goal is to find a θ' ∈ End(E) such that θ' = θ + Aθ'' where θ'' ∈ End(E) and the degree of θ' divides B. This can be achieved for special choices of θ, which one has to take into account when selecting the subgroup G of PGL_2(Z/AZ) for the group action. A particular choice for which this is feasible is to take θ from Z[i] and the starting curve E with j-invariant 1728. Further improvements are also possible by using the Frobenius isogeny in a similar fashion to the shifted endomorphism attacks. The conclusion is that the attack runs in subexponential time whenever B > pA^4.
Even though this is a worse attack complexity than the ones achieved with shifted endomorphisms, this attack highlights the fact that for certain parameter sets an efficient group action on the SIDH keyspace is possible. This further highlights how the SSI-T problem differs from the pure isogeny problem.

Open problems
There are various open problems that remain. Probably the most interesting question is whether shifted endomorphism attacks and hidden shift attacks can be combined in some fashion. So far these attacks exploit torsion information in different ways, so a common approach could be beneficial. Furthermore, there is plenty of room for improvement in both approaches separately. In the dual isogeny approach, finding better solutions to Equation 2 is a clear path for improvement. Furthermore, in [13] there is an outline of a uniform approach which encompasses both the dual and the Frobenius approach. Possibly a more general viewpoint could also lead to improvements.
In the quantum attack the current approach only utilizes a small fraction of P GL 2 (Z/AZ) in order to fit the framework needed for Kuperberg's algorithm. A natural way of extending this result could be to use a larger acting group and relating the issue of finding the secret isogeny to a hidden subgroup problem as opposed to a hidden shift problem.
Finally, all these approaches apply to elliptic curves. It is natural to study higher genus analogues of the SSI-T problem and whether the approaches generalize to higher genera.

Conclusion
SIKE's security relies not only on the "pure" isogeny problem (given two curves, find an isogeny between them), but also on a variant which, among other specificities, provides the attacker with the images of some torsion points through the isogeny.
Several attacks have exploited similar information, starting from the GPST active attacks [18], continuing with torsion point passive attacks [13,29] and most recently an attack contradicting the folklore intuition that hidden shift attacks cannot be applied to SIDH-like protocols because of their non-commutative nature [26]. These attacks have improved over time: while [29] only worked for very unbalanced parameters, the latest improvements from [13] lead to a quantum attack with complexity similar (up to polylogarithmic factors) to previously known (non torsion point) attacks for SIKE parameters, and a polynomial-time attack on a group key exchange from [1] for any number of parties greater than 6.
Only the future will tell whether these and other ideas will eventually affect the security of SIKE.